Context-based dynamic policy system for mobile devices and supporting network infrastructure

ABSTRACT

Systems and methods dynamically adapt network policies for mobile devices by accessing context-based values to allocate or restrict capabilities on the mobile devices or within the network. Context-based values may include position or velocity as well as more general environment features such as proximity of other devices, the presence or absence of other wireless signals or network traffic, parameters measured by local or remote sensors, user credentials, or unique user or signal inputs to the device. Relevant capabilities may include access to hardware and software interfaces and related parameter sets including priority settings.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Pat. No. 10,178,525, filed on Nov. 11, 2011, which claims the priority benefit of U.S. Provisional Application No. 61/413,402, filed Nov. 13, 2010, U.S. Provisional Application No. 61/413,406, filed Nov. 13, 2010, U.S. Provisional Application No. 61/413,407, filed Nov. 13, 2010, U.S. Provisional Application No. 61/431,673, filed Jan. 11, 2011, U.S. Provisional Application No. 61/431,680, filed Jan. 11, 2011, U.S. Provisional Application No. 61/437,195, filed Jan. 28, 2011, and U.S. Provisional Application No. 61/452,285, filed Mar. 14, 2011, each of which is incorporated herein by reference in its entirety.

BACKGROUND Technical Field

The present disclosure relates generally to communications networks and more particularly to communications networks that include mobile devices.

Description of Related Art

Communications networks must increasingly accommodate mobile devices whose changing coordinates may frustrate the goals of static network policies for managing system resources. Thus, there is a need for communications networks where system resources and policies can dynamically adapt to mobile devices.

SUMMARY

Certain embodiments provide systems and methods that dynamically adapt network policies for mobile devices by accessing context-based values that may include position or velocity to allocate or restrict capabilities on the mobile devices or within the network.

One embodiment relates to a method of providing a method of selecting a first network policy for a mobile device that operates as an endpoint in a communications network. The method includes storing network policy values for the mobile device in a storage system, where the network policy values relating context-based values for the mobile device to operational features for the mobile device. The method further includes receiving first context-based values for the mobile device from at least one context-based data source. The method further includes using the first context-based values to select the first network policy for the mobile device from the stored network policy values, where the first network policy specifies first operational features for the mobile device. The method further includes sending endpoint configuration values for the first network policy to an endpoint policy management unit to enforce the first network policy at the mobile device.

The context-based values for the mobile device may include at least one of position or velocity for the mobile device. The operational features for the mobile device may include at least one enabled component or disabled component at the mobile device. The at least one context-based data source may include a position or velocity sensor for the mobile device.

Selecting the first network policy may include accessing a dynamic policy function that relates the first context-based values to an enablement or disablement status for one or more hardware or software elements at the mobile device.

The endpoint policy management unit may send instructions corresponding to the first network policy to a mobile-device control unit that controls software and hardware operations at the mobile device.

The context-based values for the mobile device may include at least one performance characteristic within the mobile device or within network infrastructure that supports operations of the mobile device in the communications network.

The operational features for the mobile device may include at least one enabled function or disabled function within the mobile device or within network infrastructure that supports operations of the mobile device in the communications network.

The at least one context-based data source may include at least one performance measurement device within the mobile device or within network infrastructure that supports operations of the mobile device in the communications network.

The operational features for the mobile device may include an enablement or disablement for at least one function of network infrastructure that supports operations of the mobile device in the communications network, and the method may further include: sending network-infrastructure configuration values for the first network policy to a network infrastructure policy management unit to enforce the first network policy at the network infrastructure. Additionally, the network-infrastructure policy-management unit may send instructions corresponding to the first network policy to a network control unit that controls software and hardware operations at the network infrastructure.

Another embodiment relates to a method of implementing a network policy for a mobile device that operates as an endpoint in a communications network. The method includes receiving context-based values for the mobile device from at least one context-based data source. The method further includes sending the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values. The method further includes receiving values for a network policy from the dynamic policy unit. The method further includes sending instructions to a control unit that enforces the network policy for at least a portion of the communications network.

The method may further include logging events including the context-based values and the network policy values in a storage system. The method may further include autonomously revising the network policy on the mobile device or within the network infrastructure based on the received context-based values.

The at least one context-based data source may be included in the mobile device, and the control unit may be a mobile-device control unit that controls at least some hardware or software of the mobile device.

The at least one context-based data source may be included in network infrastructure that supports operations of the mobile device in the communications network, and the control unit may be a network infrastructure control unit that controls at least some hardware or software of the network infrastructure.

Another embodiment relates to a computer-readable medium that stores (e.g., tangibly embodies) a computer program for carrying out the any one of the above-described methods with a computer. At least some values for the results of the method can be saved for later use in a computer-readable medium, including memory units and storage devices.

Another embodiment relates to an apparatus for carrying out any one of the above-described methods, where the apparatus includes a computer for executing instructions related to the method. For example, the computer may include a processor for executing at least some of the instructions. Additionally or alternatively the computer may include circuitry or other specialized hardware for executing at least some of the instructions. In some operational settings, the apparatus may be configured as a system that includes one or more units, each of which is configured to carry out some aspects of the method either in software, in hardware or in some combination thereof.

For example, another embodiment relates to an apparatus for selecting a first network policy for a mobile device that operates as an endpoint in a communications network, the apparatus comprising at least one computer to perform operations for a policy-storage module, a value-receiving module, a policy-selection module, and a value-sending module. The policy-storage module stores network policy values for the mobile device in a storage system, the network policy values relating context-based values for the mobile device to operational features for the mobile device. The value-receiving module receives first context-based values for the mobile device from at least one context-based data source. The policy-selection module uses the first context-based values to select the first network policy for the mobile device from the stored network policy values, the first network policy specifying first operational features for the mobile device. The value-sending module that sends endpoint values for the first network policy to an endpoint policy management unit to enforce the first network policy at the mobile device.

Another embodiment relates to an apparatus for implementing a network policy for a mobile device that operates as an endpoint in a communications network, the apparatus comprising at least one computer to perform operations for a data-retrieval module, and a dynamic-policy-enforcement module. The data-retrieval module receives context-based values for the mobile device from at least one context-based data source and sends the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values. The dynamic-policy-enforcement module receives values for a network policy from the dynamic policy unit and sends instructions to a control unit that enforces the network policy for at least a portion of the communications network. The apparatus may further include an event-logging module that logs events including the context-based values and the network policy values in a storage system or an autonomous-configuration module that autonomously revises the network policy based on the received context-based values.

In these ways, aspects of the disclosed embodiments enable communications networks where system resources and policies can dynamically adapt to mobile devices.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that shows a communications network for an example embodiment.

FIG. 2 is a block diagram that shows further details related to the embodiment of FIG. 1.

FIG. 3 is a matrix that shows dynamic policies for mobile devices in the embodiment of FIG. 1.

FIG. 4 is a flowchart that shows a method of selecting a network policy for the embodiment of FIG. 1.

FIG. 5 is a block diagram that shows another communications network for an example embodiment.

FIG. 6 is a block diagram that shows further details related to the embodiment of FIG. 5.

FIG. 7 is a matrix that shows dynamic policies for network infrastructure in the embodiment of FIG. 5.

FIG. 8 is a flowchart that shows a method of selecting a network policy for the embodiment of FIG. 5.

FIG. 9 is a flowchart that shows a method of implementing a network policy for the embodiments of FIG. 1 and FIG. 5.

FIG. 10 is a block diagram that shows a schematic representation of an apparatus for an example embodiment.

FIG. 11 is a diagram that shows a computer processing system within which a set of instructions for causing the computer to perform any one of the methodologies discussed herein may be executed.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

FIG. 1 is a block diagram that shows a communications network 100 for an example embodiment. As discussed below in greater detail, a dynamic-policy unit 102 selects a network policy for a mobile device and communicates that policy to an endpoint policy-management unit 104. The dynamic-policy unit 102 receives context-based data from context-based data sources 106, which may include sensors at the mobile device. The endpoint policy-management unit 104 sends commands to enforce the network policy to a mobile-device control unit 108 that controls mobile-device hardware and software 110.

Mobile devices typically include cellular telephones, smart phones, tablets, laptops, portable computers, and other portable electronic devices and appliances. Context-based values typically include position or velocity for the mobile device. Context-based values may also include environmental factors such as proximity of other devices, the presence or absence of other wireless signals or network traffic, parameters measured by local or remote sensors, user credentials, or unique user or signal inputs to the device. Context-based values may also include state variables defined within an enterprise such as threat level, network state, or operational state.

FIG. 2 is a block diagram that shows further details related to the embodiment of FIG. 1. The dynamic-policy unit 102 includes a dynamic-policy function 202 and a dynamic-policy engine 204. The dynamic-policy function 202 accesses dynamic policies based on available context-based data. The dynamic policy engine 204 accesses context-based data from the context-based data sources 106 through a data-source connection platform 206 with data-source platform connectors 208 and applies the dynamic policy function 202 to determine a network policy for the mobile device. The dynamic-policy unit 102 communicates with the endpoint policy-management unit 104 through a network connection platform 210 with network connectors 212. The endpoint policy-management unit 104 includes dynamic-policy enforcement logic 214, and optionally data-retrieval logic 216, autonomous configuration logic 218, and event-logging logic 220.

The data-source connection platform 206 may be a Mobile Device Management (MDM) platform, a Mobile Service Management (MSM) platform, or an Endpoint Management Platform (EMP), each of which gives system administrators a centralized platform for the management of groups of mobile devices. The data-source connection platform 206 may be a Network Management Platform (NMP), which gives system administrators a centralized interface for managing and configuring network appliances and logic.

FIG. 3 is a matrix that shows dynamic policies for mobile devices in the embodiment of FIG. 1. The first column shows characteristics of the position and velocity of a mobile device including “highly trusted site,” “trusted location,” “off campus,” and “overseas.” The second through ninth columns show polices including enablement and disablement for hardware and software capabilities including microphone, WiFi, camera, Bluetooth, security settings, cell/WiFi networks allowed, phone numbers allowed, and software (SW) applications allowed. Other possible capabilities include access to hardware and software interfaces and related parameter sets including priority settings.

FIG. 4 is a flowchart that shows a method 400 of selecting a network policy for a mobile device that operates as an endpoint in a communications network in the embodiment of FIG. 1. A first block 402 includes storing network policy values for the mobile device in a storage system, where the network policy values relate context-based values for the mobile device to operational features for the mobile device. A second block 404 includes receiving first context-based values for the mobile device from at least one context-based data source. A third block 406 includes using the first context-based values to select the first network policy for the mobile device from the stored network policy values, where the first network policy specifies first operational features for the mobile device. A fourth block 408 includes sending endpoint values for the first network policy to an endpoint policy management unit to enforce the first network policy at the mobile device.

Note that the word first is used here and elsewhere for labeling purposes only and are not intended to denote any specific spatial or temporal ordering. Furthermore, the labeling of a first element does not imply the presence a second element.

The context-based values for the mobile device may include at least one of position or velocity for the mobile device. The operational features for the mobile device may include at least one enabled component or disabled component at the mobile device. The at least one context-based data source may include a position or velocity sensor for the mobile device.

Selecting the first network policy may include accessing a dynamic policy function that relates the first context-based values to an enablement or disablement status for one or more hardware or software elements at the mobile device.

The endpoint policy management unit may send instructions corresponding to the first network policy to a mobile-device control unit that controls software and hardware operations at the mobile device.

In addition to the operations at the mobile device, a network policy may affect operations at related network infrastructure, which typically includes servers, routers, and various support systems. These support systems may include functions for access control, authentication, quality of service, proxy services, load balancing, firewalls, security, encryption, and additional system functions.

FIG. 5 is a block diagram that shows another communications network 500 for an example embodiment where the embodiment of FIG. 1 is extended to include network infrastructure that supports operations of the mobile device in the communications network. As in FIG. 1, the communications network 500 includes a dynamic-policy unit 102 that selects a network policy for a mobile device and communicates that policy to an endpoint policy-management unit 104. Additionally as in FIG. 1, the endpoint policy-management unit 104 sends commands to enforce the network policy to a mobile-device control unit 108 that controls mobile-device hardware and software 110.

In this embodiment the dynamic-policy unit 102 receives context-based data from context-based data sources 106, which may include sensors at the mobile device and the network infrastructure. The dynamic-policy unit 102 selects a network policy for network infrastructure that supports operations of the mobile device and communicates that policy to a network-infrastructure policy-management unit 502. The network-infrastructure policy-management unit 502 sends commands to enforce the network policy to a network control unit 504 that controls network hardware and software 506.

FIG. 6 is a block diagram that shows further details related to the embodiment of FIG. 5, where the embodiment of FIG. 2 is extended to include network infrastructure that supports operations of the mobile device in the communications network. As in FIG. 2, the dynamic-policy unit 102 includes a dynamic-policy function 202 and a dynamic-policy engine 204. The dynamic-policy function 202 accesses dynamic policies based on available context-based data. The dynamic policy engine 204 accesses context-based data from the context-based data sources 106 through a data-source connection platform 206 with data-source platform connectors 208 and applies the dynamic policy function 202 to determine a network policy for the mobile device. The dynamic-policy unit 102 communicates with the endpoint policy-management unit 104 through a network connection platform 210 with network connectors 212. The endpoint policy-management unit 104 includes dynamic-policy enforcement logic 214, and optionally data-retrieval logic 216, autonomous configuration logic 218, and event-logging logic 220.

In FIG. 6, the dynamic policy engine 204 additionally accesses context-based data from the context-based data sources 106 and applies the dynamic policy function 202 to determine a network policy for the network infrastructure that supports operations of the mobile device in the communications network. The dynamic-policy unit 102 communicates with the network-infrastructure policy-management unit 502 through a network connection platform 602 with network connectors 604. The network-infrastructure policy-management unit 502 includes dynamic-policy enforcement logic 606, and optionally data-retrieval logic 608, autonomous configuration logic 610 and event-logging logic 612.

FIG. 7 is a matrix that shows dynamic policies for network infrastructure in the embodiment of FIG. 5. The first column shows characteristics of the position and velocity of a mobile device including “highly trusted site,” “trusted location,” “off campus,” and “overseas.” The second through seventh columns show polices including enablement and disablement for functional capabilities including quality of service and priority, network access control settings, proxy settings, authentication requirements, intrusion detection and prevention setting, and accessible networks, servers and directories. Other possible capabilities include access to hardware and software interfaces and related parameter sets including priority settings.

FIG. 8 is a flowchart that shows a method 800 of selecting a network policy for a mobile device that operates as an endpoint in a communications network in the embodiment of FIG. 5. The method 800 extends the embodiment of FIG. 4 to include policy management of related network infrastructure. As in FIG. 5, a first block 402 includes storing network policy values for the mobile device in a storage system, where the network policy values relate context-based values for the mobile device to operational features for the mobile device. A second block 404 includes receiving first context-based values for the mobile device from at least one context-based data source. A third block 406 includes using the first context-based values to select the first network policy for the mobile device from the stored network policy values, where the first network policy specifies first operational features for the mobile device. A fourth block 408 includes sending endpoint values for the first network policy to an endpoint policy management unit to enforce the first network policy at the mobile device. In this embodiment a fifth block 802 includes sending network-infrastructure values for the first network policy to a network-infrastructure policy management unit to enforce the first network policy at the network infrastructure.

Additional embodiments relate to operations at the endpoint policy-management unit 104 and the network-infrastructure policy-management unit 502 in FIGS. 2 and 6. FIG. 9 is a flowchart that shows a method 900 of implementing a network policy for the embodiments of FIG. 1 and FIG. 5. A first block 902 includes receiving context-based values for the mobile device from at least one context-based data source. A second block 904 includes sending the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values. A third block 906 includes receiving values for a network policy from the dynamic policy unit. A fourth block 908 includes sending instructions to a control unit that enforces the network policy for at least a portion of the communications network. An optional fifth block 910 includes logging events including the context-based values and the network policy values in a storage system. An optional sixth block 912 includes autonomously revising the network policy based on the received context-based values.

The method may further include logging events including the context-based values and the network policy values in a storage system. The method may further include autonomously revising the network policy based on the received context-based values.

The at least one context-based data source may be included in the mobile device, and the control unit may be a mobile device control unit that controls at least some hardware or software of the mobile device.

The at least one context-based data source may be included in network infrastructure that supports operations of the mobile device in the communications network, and the control unit may be a network infrastructure control unit that controls at least some hardware or software of the network infrastructure.

FIG. 10 shows a schematic representation of an apparatus 1000, in accordance with an example embodiment for selecting a network policy for a mobile device that operates as an endpoint in a communications network. In this case, the apparatus 1000 includes at least one computer system (e.g., as in FIG. 11) to perform software and hardware operations for modules that carry out aspects of the method 400 of FIG. 4 or the method 800 of FIG. 8.

In accordance with an example embodiment, the apparatus 1000 includes a policy-storage module 1002, a value-receiving module 1004, a policy-selection module 1004, a policy-selection module 1004, and a value-sending module 1004.

The policy-storage module 1002 stores network policy values for the mobile device in a storage system, where the network policy values relate context-based values for the mobile device to operational features for the mobile device. The value-receiving module 1004 receives first context-based values for the mobile device from at least one context-based data source. The policy-selection module 1004 uses the first context-based values to select the first network policy for the mobile device from the stored network policy values, where the first network policy specifies first operational features for the mobile device. The value-sending module 1004 sends endpoint values for the first network policy to an endpoint policy management unit to enforce the first network policy at the mobile device.

In the case where the selected network policy affects operations at network infrastructure (e.g., as in FIG. 8), the value-sending module 1004 may also send network-infrastructure values for the first network policy to an network-infrastructure policy-management unit to enforce the first network policy at the mobile device.

FIG. 11 is a block diagram of machine in the example form of a computer system 1100 within which instructions for causing the machine to perform any one or more of the methodologies discussed here may be executed. In alternative embodiments, the machine operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client machine in server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The example computer system 1100 includes a processor 1102 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both), a main memory 1104 and a static memory 1106, which communicate with each other via a bus 1108. The computer system 1100 may further include a video display unit 1110 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)). The computer system 1100 also includes an alphanumeric input device 1112 (e.g., a keyboard), a user interface (UI) navigation device 1114 (e.g., a mouse), a disk drive unit 1116, a signal generation device 1118 (e.g., a speaker) and a network interface device 1120.

In some contexts, a computer-readable medium may be described as a machine-readable medium. The disk drive unit 1116 includes a machine-readable medium 1122 on which is stored one or more sets of data structures and instructions 1124 (e.g., software) embodying or utilizing any one or more of the methodologies or functions described herein. The instructions may also reside, completely or at least partially, within the main memory 1104 and/or within the processor 1102 during execution thereof by the computer system 1100, with the main memory 1104 and the processor 1102 also constituting machine-readable media.

While the machine-readable medium 1122 is shown in an example embodiment to be a single medium, the terms “machine-readable medium” and “computer-readable medium” may each refer to a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of data structures and instructions 1124. These terms shall also be taken to include any tangible or non-transitory medium that is capable of storing, encoding or carrying instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies disclosed herein, or that is capable of storing, encoding or carrying data structures utilized by or associated with such instructions. These terms shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media. Specific examples of machine-readable or computer-readable media include non-volatile memory, including by way of example semiconductor memory devices, e.g., Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; Compact Disc Read-Only Memory (CD-ROM) and Digital Versatile Disc Read-Only Memory (DVD-ROM).

The instructions 1124 may further be transmitted or received over a communications network 1126 using a transmission medium. The instructions 1124 may be transmitted using the network interface device 1120 and any one of a number of well-known transfer protocols (e.g., Hypertext Transfer Protocol (HTTP)). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, mobile telephone networks, Plain Old Telephone (POTS) networks, and wireless data networks (e.g., WiFi and WiMax networks). The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine, and includes digital or analog communications signals or other intangible media to facilitate communication of such software.

Certain embodiments are described herein as including logic or a number of components, modules, or mechanisms. Modules may constitute either software modules or hardware-implemented modules. A hardware-implemented module is a tangible unit capable of performing certain operations and may be configured or arranged in a certain manner. In example embodiments, one or more computer systems (e.g., a standalone, client or server computer system) or one or more processors may be configured by software (e.g., an application or application portion) as a hardware-implemented module that operates to perform certain operations as described herein.

In various embodiments, a hardware-implemented module (e.g., a computer-implemented module) may be implemented mechanically or electronically. For example, a hardware-implemented module may comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware-implemented module may also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware-implemented module mechanically, in dedicated and permanently configured circuitry, or in temporarily configured circuitry (e.g., configured by software) may be driven by cost and time considerations.

Accordingly, the term “hardware-implemented module” (e.g., a “computer-implemented module”) should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily or transitorily configured (e.g., programmed) to operate in a certain manner and/or to perform certain operations described herein. Considering embodiments in which hardware-implemented modules are temporarily configured (e.g., programmed), each of the hardware-implemented modules need not be configured or instantiated at any one instance in time. For example, where the hardware-implemented modules comprise a general-purpose processor configured using software, the general-purpose processor may be configured as respective different hardware-implemented modules at different times. Software may accordingly configure a processor, for example, to constitute a particular hardware-implemented module at one instance of time and to constitute a different hardware-implemented module at a different instance of time.

Hardware-implemented modules can provide information to, and receive information from, other hardware-implemented modules. Accordingly, the described hardware-implemented modules may be regarded as being communicatively coupled. Where multiple of such hardware-implemented modules exist contemporaneously, communications may be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware-implemented modules. In embodiments in which multiple hardware-implemented modules are configured or instantiated at different times, communications between such hardware-implemented modules may be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware-implemented modules have access. For example, one hardware-implemented module may perform an operation, and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware-implemented module may then, at a later time, access the memory device to retrieve and process the stored output. Hardware-implemented modules may also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).

The various operations of example methods described herein may be performed, at least partially, by one or more processors that are temporarily configured (e.g., by software) or permanently configured to perform the relevant operations. Whether temporarily or permanently configured, such processors may constitute processor-implemented modules that operate to perform one or more operations or functions. The modules referred to herein may, in some example embodiments, comprise processor-implemented modules.

Similarly, the methods described herein may be at least partially processor-implemented. For example, at least some of the operations of a method may be performed by one or processors or processor-implemented modules. The performance of certain of the operations may be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors may be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors may be distributed across a number of locations.

The one or more processors may also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS). For example, at least some of the operations may be performed by a group of computers (as examples of machines including processors), these operations being accessible via a network (e.g., the Internet) and via one or more appropriate interfaces (e.g., Application Program Interfaces (APIs)).

Although only certain embodiments have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible without materially departing from the novel teachings of this disclosure. For example, aspects of embodiments disclosed above can be combined in other combinations to form additional embodiments. Accordingly, all such modifications are intended to be included within the scope of this disclosure. 

What is claimed is:
 1. A method, comprising: receiving, with a computer system, context-based values for a mobile device from at least one context-based data source, the context-based values for the mobile device including a value indicative of a spatial position of the mobile device; using, with the computer system, the context-based values to select a network policy from a plurality of network policies, wherein: the using the context-based values to select the network policy from the plurality of network policies includes accessing a dynamic policy function that relates the context-based values to an enablement or a disablement status for one or more hardware or software elements at the mobile device, the network policy is selected based on both position and velocity of the mobile device, the network policy indicates enablement or disablement of software or hardware operations of the mobile device, the network policy indicates enablement or disablement of operations of network infrastructure, the network infrastructure supports operations of the mobile device in a communications network, the network policy specifies a number of factors required for authentication, and the network policy specifies which directories are accessible to the mobile device; and sending, with the computer system, instructions to enforce the network policy at the mobile device and at the network infrastructure, wherein: at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least one of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting, and at least some of the instructions control aspects of the operations of the network infrastructure by at least two of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 2. The method of claim 1, wherein at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least two of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting.
 3. The method of claim 1, wherein at least some of the instructions control aspects of the operations of the network infrastructure by at least six of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 4. The method of claim 1, wherein at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least four of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting.
 5. The method of claim 1, wherein at least some of the instructions control aspects of the operations of the network infrastructure by at least four of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 6. The method of claim 1, wherein the context-based values for the mobile device further include another value indicative of a velocity of the mobile device.
 7. The method of claim 1, wherein at least some of the context-based values are indicative of at least one of proximity of other computing devices to the mobile device, presence of other wireless signals, network traffic, parameters measured by local or remote sensors, user credentials, or unique user or signal inputs to the mobile device.
 8. The method of claim 1, wherein sending the instructions includes sending endpoint configuration values for the network policy to an endpoint policy management unit to enforce the network policy at the mobile device.
 9. The method of claim 8, wherein the endpoint policy management unit sends the instructions corresponding to the network policy to a mobile-device control unit that controls the enablement or disablement of software or hardware operations of the mobile device.
 10. The method of claim 9, wherein the endpoint policy management unit is external to the mobile device and the mobile-device control unit is included in the mobile device.
 11. The method of claim 1, wherein sending the instructions to enforce the network policy at the network infrastructure includes sending network-infrastructure configuration values for the network policy to a network-infrastructure policy management unit to enforce the network policy at the network infrastructure.
 12. The method of claim 1, wherein the at least one context-based data source includes at least one performance measurement device within the mobile device or within the network infrastructure that supports the operations of the mobile device.
 13. The method of claim 1, further comprising: automatically revising the network policy based on other received context-based values.
 14. The method of claim 1, further comprising: steps for selecting the network policy for the mobile device.
 15. The method of claim 1, further comprising: steps for enforcing the network policy.
 16. The method of claim 1, wherein: the context-based values include state variables defined within an enterprise.
 17. The method of claim 1, wherein: using the context-based values is performed by means for giving system administrators a centralized platform for the management of groups of mobile devices.
 18. The method of claim 1, wherein: the network policy disables a camera and a radio of the mobile device; and the network policy specifies proxy settings of the mobile device.
 19. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising: receiving, with a computer system, context-based values for a mobile device from at least one context-based data source, the context-based values for the mobile device including a value indicative of a spatial position of the mobile device; using, with the computer system, the context-based values to select a network policy from a plurality of network policies, wherein: the using the context-based values to select the network policy from the plurality of network policies includes accessing a dynamic policy function that relates the context-based values to an enablement or a disablement status for one or more hardware or software elements at the mobile device, the network policy is selected based on both position and velocity of the mobile device, the network policy indicates enablement or disablement of software or hardware operations of the mobile device, the network policy indicates enablement or disablement of operations of network infrastructure, the network infrastructure supports operations of the mobile device in a communications network; the network policy specifies a number of factors required for authentication, and the network policy specifies which directories are accessible to the mobile device, and sending, with the computer system, instructions to enforce the network policy at the mobile device and at the network infrastructure, wherein: at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least one of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting, and at least some of the instructions control aspects of the operations of the network infrastructure by at least two of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 20. The medium of claim 19, wherein at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least two of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting.
 21. The medium of claim 19, wherein at least some of the instructions control aspects of the operations of the network infrastructure by at least six of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 22. The medium of claim 19, wherein at least some of the instructions control aspects of the software or hardware operations of the mobile device by at least four of the following: enablement of a microphone, enablement of wireless networks, enablement of a camera, enablement of Bluetooth, enablement of security settings, enablement of a WiFi connection, enablement of phone numbers, enablement of software applications, enablement of a priority setting, disablement of a microphone, disablement of wireless networks, disablement of a camera, disablement of Bluetooth, disablement of security settings, disablement of a WiFi connection, disablement of phone numbers, disablement of software applications, or disablement of a priority setting.
 23. The medium of claim 19, wherein at least some of the instructions control aspects of the operations of the network infrastructure by at least four of the following: enablement of a quality of service setting, enablement of a priority setting, enablement of a network access control setting, enablement of a proxy setting, enablement of an authentication requirement, enablement of an intrusion detection setting, enablement of an intrusion prevention setting, enablement of access to a network, enablement of access to a servers, enablement of access to a directory, disablement of a quality of service setting, disablement of a priority setting, disablement of a network access control setting, disablement of a proxy setting, disablement of an authentication requirement, disablement of an intrusion detection setting, disablement of an intrusion prevention setting, disablement of access to a network, disablement of access to a server, or disablement of access to a directory.
 24. The medium of claim 19, wherein the context-based values for the mobile device further include another value indicative of a velocity of the mobile device.
 25. The medium of claim 19, wherein at least some of the context-based values are indicative of at least one of proximity of other computing devices to the mobile device, presence of other wireless signals, network traffic, parameters measured by local or remote sensors, user credentials, or unique user or signal inputs to the mobile device.
 26. The medium of claim 19, wherein sending the instructions includes sending endpoint configuration values for the network policy to an endpoint policy management unit to enforce the network policy at the mobile device.
 27. The medium of claim 26, wherein the endpoint policy management unit sends the instructions corresponding to the network policy to a mobile-device control unit that controls the enablement or disablement of software or hardware operations of the mobile device.
 28. The medium of claim 27, wherein the endpoint policy management unit is external to the mobile device and the mobile-device control unit is included in the mobile device.
 29. The medium of claim 19, wherein sending the instructions to enforce the network policy at the network infrastructure includes sending network-infrastructure configuration values for the network policy to a network-infrastructure policy management unit to enforce the network policy at the network infrastructure.
 30. The medium of claim 19, wherein the at least one context-based data source includes at least one performance measurement device within the mobile device or within the network infrastructure that supports the operations of the mobile device.
 31. The medium of claim 19, the operations further comprising: automatically revising the network policy based on other received context-based values.
 32. The medium of claim 19, the operations further comprising: steps for selecting the network policy for the mobile device.
 33. The medium of claim 19, the operations further comprising: steps for enforcing the network policy.
 34. The medium of claim 19, wherein: the context-based values include state variables defined within an enterprise.
 35. The medium of claim 19, wherein: using the context-based values is performed by means for giving system administrators a centralized platform for the management of groups of mobile devices.
 36. The medium of claim 19, wherein: the network policy disables a camera and a radio of the mobile device; and the network policy specifies proxy settings of the mobile device. 